US6327662B1 - Security through the use of tokens and automatically downloaded applets

Info

Publication number: US6327662B1
Authority: US (United States)
Prior art keywords: intermediate device, client, deliverable, security, authentication
Legal status: Expired - Lifetime (as listed by Google Patents; not a legal conclusion)
Application number: US09/164,209
Inventor: Kenneth Araujo
Current assignee: HP Inc; Hewlett Packard Enterprise Development LP (as listed; not verified by Google)
Original assignee: 3Com Corp
Assignment history:
    • Application filed by 3Com Corp; priority to US09/164,209
    • Assigned to 3COM CORPORATION (assignor: ARAUJO, KENNETH)
    • Application granted; publication of US6327662B1
    • Assigned to HEWLETT-PACKARD COMPANY by merger (assignor: 3COM CORPORATION), followed by a corrective assignment
    • Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P. (assignor: HEWLETT-PACKARD COMPANY), followed by a corrective assignment to the recording previously made on reel 027329, frames 0001 and 0044
    • Assigned to HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP (assignor: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.)
    • Anticipated expiration; current legal status Expired - Lifetime

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L61/256 NAT traversal
    • H04L61/2564 NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Definitions

  • In one prior art approach, each client on the LAN which is coupled to the NAT has a special application (e.g. a Terminate-and-Stay-Resident program) installed thereon.
  • This prior art approach has several substantial disadvantages.
  • A unique version of the special application must be written and installed for each client environment (i.e. the operating system of the client). That is, one version of the special application must be written for and installed on clients running, for example, Windows NT™. Another version of the special application must be written for and installed on clients running, for example, Windows 95™. Still another version of the special application must be written for and installed on clients running, for example, Windows 98™, and so on. This requirement is costly and time-consuming.
  • Furthermore, the clients must be monitored and a new version of the special application must be installed thereon if the client environment changes (e.g. a client environment of Windows 95™ is updated to Windows 98
  • Accordingly, the present invention provides a method and system for providing security during use of an intermediate device, wherein the method and system allows a user of a client to be prompted for authentication information.
  • The present invention also provides a method and system which meets the above-listed need and which is independent of the operating system environment of the client to be authenticated.
  • The present invention further provides a method and system which meets the above-listed needs and which does not require extensive consumer intervention or consumer sophistication.
  • In one embodiment, an intermediate device includes memory. The memory of the intermediate device is adapted to store a deliverable security applet. Additionally, the intermediate device is configured to download the deliverable security applet to a desired location.
  • The present embodiment also includes a client which is coupled to the intermediate device. The client is adapted to receive the deliverable security applet from the intermediate device when the intermediate device downloads the deliverable security applet to the client. In so doing, the client can be prompted to respond to requests for authentication of the client when the requests for authentication of the client are received by the intermediate device.
  • In another embodiment, the present invention includes the features of the above-described embodiment and further recites that the intermediate device is a Network Address Translator (NAT).
  • In still another embodiment, the present invention includes the features of the first above-described embodiment and further recites that the deliverable security applet is adapted to run on multiple client operating systems.
  • FIG. 1 is a schematic diagram of an exemplary computer system used to perform steps of the present method in accordance with one embodiment of the present invention.
  • FIG. 2 is a schematic representation of a system for providing security during use of an intermediate device which represents clients to a central site in accordance with one embodiment of the present invention.
  • FIG. 3 is a schematic representation of an intermediate device for providing security during representation of clients to a central site in accordance with one embodiment of the present invention.
  • FIG. 4 is a flow chart of steps performed in accordance with one embodiment of the present claimed invention.
  • FIG. 5 is a flow chart of steps performed in accordance with one embodiment of the present claimed invention.
  • FIG. 1 illustrates an exemplary computer system 100 used to perform the present invention. It is appreciated that system 100 of FIG. 1 is exemplary only and that the present invention can operate within a number of different computer systems including general purpose networked computer systems, embedded computer systems, and stand alone computer systems. Furthermore, as will be described below in detail, the components of computer system 100 reside, for example, in a client computer and/or in the intermediate device of the present system and method. Additionally, computer system 100 of FIG. 1 is well adapted to having computer readable media such as, for example, a floppy disk, a compact disc, and the like coupled thereto. Such computer readable media is not shown coupled to computer system 100 in FIG. 1 for purposes of clarity.
  • System 100 of FIG. 1 includes an address/data bus 102 for communicating information, and a central processor unit 104 coupled to bus 102 for processing information and instructions. Central processor unit 104 may be an 80×86-family microprocessor.
  • System 100 also includes data storage features such as a computer usable volatile memory 106, e.g. random access memory (RAM), coupled to bus 102 for storing information and instructions for central processor unit 104, computer usable non-volatile memory 108, e.g. read only memory (ROM), coupled to bus 102 for storing static information and instructions for the central processor unit 104, and a data storage unit 110 (e.g., a magnetic or optical disk and disk drive) coupled to bus 102 for storing information and instructions.
  • System 100 of the present invention also includes an optional alphanumeric input device 112, including alphanumeric and function keys, coupled to bus 102 for communicating information and command selections to central processor unit 104. System 100 also optionally includes a cursor control device 114 coupled to bus 102 for communicating user input information and command selections to central processor unit 104. System 100 of the present embodiment also includes an optional display device 116 coupled to bus 102 for displaying information. Additionally, computer system 100 of the present embodiment includes feature 118 for connecting computer system 100 to a LAN.
  • Optional display device 116 of FIG. 1 may be a liquid crystal device, cathode ray tube, or other display device suitable for creating graphic images and alphanumeric characters recognizable to a user. Optional cursor control device 114 allows the computer user to dynamically signal the two dimensional movement of a visible symbol (cursor) on a display screen of display device 116. Many implementations of cursor control device 114 are known in the art, including a trackball, mouse, touch pad, joystick or special keys on alphanumeric input device 112 capable of signaling movement of a given direction or manner of displacement. Alternatively, a cursor can be directed and/or activated via input from alphanumeric input device 112 using special keys and key sequence commands. The present invention is also well suited to directing a cursor by other means such as, for example, voice commands. A more detailed discussion of the method and system embodiments of the present invention is found below.
  • Referring to FIG. 2, the present embodiment includes several clients 202, 204, and 206. In the present embodiment, clients 202, 204, and 206 are personal computers (PCs); however, although the clients are PCs in the present embodiment, the present invention is also well suited to an embodiment in which clients 202, 204, and 206 are comprised of devices other than PCs (e.g.
  • Clients 202, 204, and 206 of the present embodiment may contain, for example, the features of computer system 100 described above in detail in conjunction with FIG. 1. Additionally, although only three clients 202, 204, and 206 are shown for purposes of clarity, the present invention is also well suited to a system having a greater or lesser number of clients.
  • In the present embodiment, clients 202, 204, and 206 are coupled together via a local area network (LAN) 208. As a result, clients 202, 204, and 206 are able to communicate with each other. Although LAN 208 is shown in the present embodiment, the present invention is also well suited to use with various other network configurations such as, for example, a wide area network (WAN).
  • The present embodiment also includes an intermediate device 210. Intermediate device 210 is coupled to LAN 208, so that intermediate device 210 is able to communicate with each of clients 202, 204, and 206. In the present embodiment, intermediate device 210 is a network address translator (NAT); however, the present invention is also applicable to intermediate devices other than a NAT. Intermediate device 210 of the present embodiment may contain, for example, the features of computer system 100 described above in detail in conjunction with FIG. 1.
  • Intermediate device 210 is configured to be coupled via a single connection 212 to a WAN 214 and then to RAS 216. Thus, clients 202, 204, and 206 are able to access RAS 216 via intermediate device 210, single connection 212 and WAN 214. RAS 216 is, in turn, coupled to, for example, the internet 218. Although a particular arrangement is shown in FIG. 2, it will be understood that the present invention is also well suited to operating in a system which is configured differently than the system shown in FIG. 2.
  • Referring to FIG. 3, intermediate device 210 includes memory 302, a downloader 304, and a user interface 306. Memory 302 of the present embodiment is adapted to store a deliverable security applet therein. Downloader 304 is adapted to download the deliverable security applet from intermediate device 210 to a client(s) 202, 204, and 206. User interface 306 is adapted to allow a user of intermediate device 210 to, for example, configure various operating parameters of intermediate device 210. In one embodiment, user interface 306 is, for example, a keypad, a display, and the like. The operation of the present embodiment including intermediate device 210 is set forth in detail below.
  • Flow chart 400 of FIG. 4 includes processes of the present invention which, in one embodiment, are carried out by a processor under the control of computer-readable and computer-executable instructions. The computer-readable and computer-executable instructions reside, for example, in data storage features such as computer usable volatile memory 106 and/or computer usable non-volatile memory 108 of FIG. 1, and are used to control or operate in conjunction with, for example, central processing unit 104 of FIG. 1. As mentioned above, the features of the computer system of FIG.
  • In the present embodiment, intermediate device 210 of FIGS. 2 and 3 is coupled to LAN 208 of FIG. 2. As a result, intermediate device 210 is able to communicate with clients 202, 204, and 206 of FIG. 2. In the present embodiment, intermediate device 210 is a NAT.
  • Intermediate device 210 has a deliverable security applet stored in memory 302 thereof. In the present embodiment, the deliverable security applet is adapted to run on multiple client operating systems. That is, the present deliverable security applet is initially stored in the memory of intermediate device 210, and the present deliverable security applet is not specifically written for any particular client environment or client operating system. In one embodiment, the present invention takes advantage of JAVA, which runs on the JAVA Virtual Machine; hence, the JAVA applet is independent of the client operating system.
  • Next, the present embodiment determines whether selected clients 202, 204, and 206 have the deliverable security applet installed thereon. In the present embodiment, the deliverable security applet is executable on a browser program running on clients 202, 204, and 206, and clients 202, 204, and 206 have a browser program running thereon. If the selected clients 202, 204, and 206 already have the deliverable security applet running thereon, the present embodiment proceeds to step 408. If the selected clients 202, 204, and 206 do not have the present deliverable security applet loaded thereon, the present invention proceeds to step 406.
  • At step 406, the present embodiment downloads the present deliverable security applet from memory 302 of intermediate device 210 to the desired clients 202, 204, and 206 via downloader 304 of FIG. 3. That is, the present embodiment downloads the present deliverable security applet directly from intermediate device 210 onto a selected client or clients. Hence, an unsophisticated consumer is able to load the present deliverable security applet onto a selected client simply by coupling intermediate device 210 to LAN 208.
  • Furthermore, the present deliverable security applet is not specifically written for any particular client environment or client operating system. Thus, the present deliverable security applet eliminates the need to write and install on each client a unique version of a special application. Therefore, the present invention does not require a user to monitor each client environment and install (and/or update) versions of the special application. Instead, the present deliverable security applet functions regardless of the operating system of the client. In the present embodiment, the deliverable security applet is a JAVA applet which executes on a browser program running on the client. As described below, the present deliverable security applet causes the client to be prompted to respond to requests for authentication of the client when such requests for authentication are received by intermediate device 210.
  • Although the present embodiment downloads the deliverable security applet to clients 202, 204, and 206, the present embodiment is also well suited to downloading the present deliverable security applet to a selected at least one of a plurality of clients 202, 204, and 206. That is, a user of intermediate device 210 is able to selectively download the present deliverable security applet from intermediate device 210 to only a desired client or clients. In such a case, a user configures intermediate device 210 using, for example, user interface 306, such that the present deliverable security applet is downloaded only to the desired client or clients.
  • Next, a client 202, 204, or 206 seeks to access RAS 216. This occurs, for example, when the client 202, 204, or 206 sends non-local data which results in a call being placed to RAS 216 so that the internet can be accessed. In response, intermediate device 210 establishes a link between intermediate device 210 and RAS 216 via single connection 212 and WAN 214.
  • RAS 216 then sends a request for authentication of the client. The request for authentication sent from RAS 216 is received at intermediate device 210. However, the authentication information is not present at intermediate device 210. Instead, the authentication information must be provided by the appropriate client or a user thereof.
  • One example of an authentication method requires that the user of the client carry a token and be aware of an associated personal identification number (PIN). The token generates a time-variable identification number, and RAS 216 will know which identification number should be generated by the token at a particular time. The user then enters the PIN as well as the token generated identification number into the client and transmits this information to requesting RAS 216 for authentication. In so doing, RAS 216 is able to determine whether the client or user thereof has authorization to access RAS 216. Although such a token-based method is described, the present invention is also well suited to use with various other authentication methods and techniques.
  • Upon receiving the request for authentication, intermediate device 210 causes the present deliverable security applet, loaded onto the client, to prompt the user for the PIN as well as the identification number generated by the token. The client then forwards the client's authentication information (e.g. identification number, password, and the like) to intermediate device 210. Next, the present embodiment forwards the client's authentication information from intermediate device 210 to RAS 216. Thus, RAS 216 is able to determine whether or not the client has authorization to access RAS 216, and RAS 216 then grants or denies access accordingly. In so doing, an unsophisticated consumer is able to provide authentication response capability for one or more desired clients simply by coupling intermediate device 210 of the present embodiment to LAN 208.
  • In some instances, RAS 216 or another destination will periodically request new authentication information. That is, a request for authentication information may be sent from RAS 216, for example, every 30 minutes. In such an example, the present invention will repeat steps 412 through 418 as needed. Note that future authentication may require both the PIN as well as the identification number generated by the token to be entered. Alternatively, it may only require the identification number to be entered.
  • In some instances, new clients will be added to LAN 208 once LAN 208 is already coupled to intermediate device 210. The operation of one embodiment of the present invention in such an instance is set forth in flow chart 500 of FIG. 5.
  • First, a new client is coupled to LAN 208 of FIG. 2.
  • At step 504, the present embodiment determines whether the new client has the deliverable security applet installed thereon. If the new client already has the deliverable security applet running thereon, the present embodiment proceeds, for example, to step 408 of FIG. 4. If the new client does not have the present deliverable security applet loaded thereon, the present invention proceeds to step 506.
  • At step 506, the present embodiment downloads the present deliverable security applet from memory 302 of intermediate device 210 to the new client via downloader 304 of FIG. 3. That is, the present embodiment downloads the present deliverable security applet directly from intermediate device 210 onto each new client or clients as they are added. Hence, an unsophisticated consumer is able to load the present deliverable security applet onto a newly added client simply by coupling the new client to LAN 208.
  • Thus, the present invention provides a method and system for providing security during use of an intermediate device, wherein the method and system allows a user of a client to be prompted for authentication information. The present invention also provides a method and system which meets the above-listed need and which is independent of the operating system environment of the client to be authenticated. The present invention further provides a method and system which meets the above-listed needs and which does not require extensive consumer intervention or consumer sophistication.
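
The procedure of flow charts 400 and 500 above, modelled end to end as an added example (this is not code from the patent): the intermediate device hands its stored applet to a client that lacks one, relays the RAS's authentication request to that client's applet, which prompts the user for the PIN and the number on the token, and forwards the answer to the RAS, which re-challenges after 30 minutes. The patent does not say how the token computes its time-variable number, so an HMAC-based, TOTP-style scheme with a 60-second step is assumed here; the user name, PIN, token secret, LAN addresses and the use of the LAN address as the session key are likewise assumptions, and all sample values are constructed.

```python
"""Authentication relay between a remote access server (RAS), the intermediate
device (NAT) and the applet on a client, with a time-variable token number.
Added example, not code from the patent: the token algorithm (HMAC/TOTP-style,
60-second step), user name, PIN, secret and addresses are all assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

STEP_SECONDS = 60          # assumed token time step
REAUTH_SECONDS = 30 * 60   # the RAS re-challenges every 30 minutes (from the text)
Credentials = Tuple[str, str, str]   # (user name, PIN, number read from the token)


def token_code(secret: bytes, now: float, digits: int = 6) -> str:
    """Number the token shows at time `now`: HMAC-SHA1 over the time counter,
    dynamically truncated as in RFC 4226 (assumed token algorithm)."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass(frozen=True)
class AuthRequest:
    session: str      # the NAT's link to the RAS on behalf of one client
    issued_at: float


@dataclass
class Client:
    lan_addr: str
    keyboard: Callable[[AuthRequest], Credentials]   # what the user types when prompted
    applet: Optional[Callable[[AuthRequest, "Client"], Credentials]] = None


def security_applet(request: AuthRequest, client: Client) -> Credentials:
    """The deliverable applet: prompts the user of `client` and returns what
    was entered to the NAT. It holds no secrets of its own."""
    return client.keyboard(request)


@dataclass
class RemoteAccessServer:
    """Holds each user's token secret and PIN, so it knows which number the
    token should be showing at any given time."""
    users: Dict[str, Tuple[bytes, str]]
    skew_steps: int = 1                                  # tolerated clock drift
    granted_at: Dict[str, float] = field(default_factory=dict)

    def needs_authentication(self, session: str, now: float) -> bool:
        last = self.granted_at.get(session)
        return last is None or now - last >= REAUTH_SECONDS

    def verify(self, session: str, user: str, pin: str, code: str, now: float) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        secret, expected_pin = record
        pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
        code_ok = False     # every window and both factors are checked; no early exit
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            expected = token_code(secret, now + delta * STEP_SECONDS)
            code_ok = hmac.compare_digest(expected.encode(), code.encode()) or code_ok
        if pin_ok and code_ok:
            self.granted_at[session] = now
            return True
        return False


@dataclass
class IntermediateDevice:
    ras: RemoteAccessServer
    stored_applet: Callable[[AuthRequest, Client], Credentials]   # memory 302
    clients: Dict[str, Client] = field(default_factory=dict)

    def attach(self, client: Client) -> None:
        """Flow charts 400 and 500: a client coupled to the LAN without the
        applet receives it from the NAT's memory; one that has it is left alone."""
        if client.applet is None:
            client.applet = self.stored_applet
        self.clients[client.lan_addr] = client

    def forward(self, lan_addr: str, now: float) -> bool:
        """A client sends non-local data. If the RAS requires authentication,
        the NAT relays the request to that client's applet and forwards the
        answer; the credentials never reside on the NAT. Returns the RAS's decision."""
        client = self.clients[lan_addr]
        if not self.ras.needs_authentication(lan_addr, now):
            return True
        request = AuthRequest(session=lan_addr, issued_at=now)
        user, pin, code = client.applet(request, client)
        return self.ras.verify(lan_addr, user, pin, code, now)
```

To run it, build a RemoteAccessServer with one user, an IntermediateDevice whose stored_applet is security_applet, and a Client whose keyboard callback returns the user name, PIN and token_code for the request time; attach the client and call forward. The RAS compares both factors with hmac.compare_digest and evaluates every time window even after a mismatch, so response time does not reveal which factor failed; one step of clock drift either way is accepted, and a number two steps old is rejected.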

Abstract

A method and system for providing security during use of an intermediate device which represents clients to a central site. In one embodiment of the invention, an intermediate device includes memory. The memory of the intermediate device is adapted to store a deliverable security applet. Additionally, the intermediate device is configured to download the deliverable security applet to a desired location. The present embodiment also includes a client which is coupled to the intermediate device. The client is adapted to receive the deliverable security applet from the intermediate device when the intermediate device downloads the deliverable security applet to the client. In so doing, the client can be prompted to respond to requests for authentication of the client when the requests for authentication of the client are received by the intermediate device.

Description

TECHNICAL FIELD
The present invention generally pertains to the field of computer networking. More particularly, the present invention is related to an intermediate device representing clients to a central site.
BACKGROUND ART
Computers have become an integral tool used in a wide variety of different applications, such as in finance and commercial transactions, computer-aided design and manufacturing, health-care, telecommunication, education, etc. Computers are finding new applications as a result of advances in hardware technology and rapid development in software technology. Furthermore, a computer system's functionality is dramatically enhanced by coupling stand-alone computers together to form a computer network. In a computer network, users may readily exchange files, share information stored on a common database, pool resources, and communicate via e-mail and via video teleconferencing.
Computer networks can be arranged in numerous configurations comprising a variety of network types. Some of the most popular types of networks comprise Ethernet (coaxial cable or twisted-pair cable), token ring, Fiber Distributed Data Interface (FDDI), Frame Relay, Integrated Services Digital Network (ISDN), X.25, Synchronous Data Link Control (SDLC). Typically, these networks are arranged in local area networks (LANs) and wide area networks (WANs). Usually, LANs are distinguished from WANs based upon the geographical area they cover and sometimes the number of users connected to the network. For example, a group of personal computers (PCs) in a home or single business site (location) usually communicate with each other over a LAN. Groups of PCs disposed remote from one another, such as those in different homes, different companies, or different branch offices of the same company, typically communicate with each other over a WAN.
There has been an immense increase in the number of separate networks and the number of users communicating over these various networks. This growth has resulted in a tremendous need for connectivity capacity and the ability to accurately transmit information to an address corresponding to a particular PC or “client”. One approach that effectively expands address capacity is to provide address translation through a Network Address Translator (NAT).
Typically, a NAT is associated with a primary LAN and facilitates the transmission of communication from the primary LAN to a central site (e.g. a Remote Access Server (RAS) at an Internet Service Provider (ISP)). Specifically, the NAT allows several clients to share a common single connection to an ISP, thereby reducing the number of connections necessary to couple the numerous clients in the LAN to the ISP. Additionally, by allowing the numerous clients of the LAN to access the ISP over a single common connection, the NAT reduces the costs associated with coupling the numerous clients to the ISP. More specifically, instead of paying for a separate and distinct ISP account for each client in the LAN, only a single account (to connect the NAT to the ISP) need be purchased. Also, only a single globally routable Internet Protocol (IP) address needs to be assigned by the RAS.
In operation, a conventional NAT translates a primary LAN address for a client to another network address associated with the NAT. A NAT performs an address translation by mapping an address of the primary LAN to an address in another network. For example, a user on a PC attached to a LAN may have a particular LAN address but that LAN address would not necessarily be valid if the user tried to utilize the LAN address as an Internet Protocol (IP) source address when communicating with an ISP over a WAN. Thus, one function a NAT typically provides is translation between a local LAN address (e.g. a local IP address) and a WAN address (e.g., an ISP designated source IP address). It will be understood that the primary LAN address for a client on the LAN does not typically change. On the other hand, a temporary IP source address provided by an ISP will, typically, change from session to session. There are numerous well-known NAT mapping techniques including static, dynamic, masquerading, etc. which are utilized in differing situations to meet a variety of design criteria.
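As an added illustration of the masquerading mapping described above (example code written for this page, not part of the patent), the following Python models a many-to-one NAT: several LAN clients share the single WAN address assigned by the RAS, each outbound flow is given its own WAN port, replies are mapped back to the originating client, and inbound packets that match no mapping are dropped. The addresses, ports and packet fields are constructed for the example; the patent does not specify them. The model also shows the point made in the text that the ISP-assigned address changes from session to session while the LAN addresses do not.

```python
"""Constructed masquerading (many-to-one) NAT model. Example only; addresses,
ports and the packet tuple are assumptions, not values from the patent."""
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class MasqueradingNAT:
    """Maps (proto, LAN ip, LAN port) to a unique port on the single WAN address."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip                    # temporary address assigned by the RAS
        self._ports = itertools.count(first_port)
        self.outbound = {}                      # (proto, lan_ip, lan_port) -> wan_port
        self.inbound = {}                       # (proto, wan_port) -> (lan_ip, lan_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN address and a per-flow WAN port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        wan_port = self.outbound.get(key)
        if wan_port is None:                    # first packet of this flow: create mapping
            wan_port = next(self._ports)
            self.outbound[key] = wan_port
            self.inbound[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def translate_inbound(self, pkt: Packet):
        """WAN -> LAN: rewrite the destination back to the client that opened the flow.
        Returns None (drop) for traffic no LAN client solicited."""
        if pkt.dst_ip != self.wan_ip:
            return None
        target = self.inbound.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        lan_ip, lan_port = target
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

    def new_session(self, new_wan_ip: str) -> None:
        """The ISP assigns a new WAN address per session; mappings bound to the old
        address are discarded. LAN addresses are unaffected."""
        self.wan_ip = new_wan_ip
        self.outbound.clear()
        self.inbound.clear()
```

Two clients using the same local source port are distinguished only by the WAN port the NAT assigned, which is why the inbound table is keyed on that port rather than on the LAN address.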
Although conventional NATs have several advantages associated therewith, conventional prior art NATs also have significant drawbacks associated therewith. As an example, a particular client may seek to establish a link to, for example, a Remote Access Server (RAS). Alternatively, the NAT automatically establishes such a link when the user attempts to access a non-local internet site. In such cases, the NAT device interacts (i.e. establishes a link) with the RAS on behalf of the client. However, many RASs may require client authentication. Such a request for client authentication will be received by the NAT, but can only be properly responded to by the client or a user thereof. Hence, the NAT must, in some manner, communicate the received request for authentication to the appropriate client. Many conventional NATs are simply unable to convey such a request for authentication to the appropriate client. As a result, the RAS will not communicate with the NAT and, in turn, the client.
In one prior art attempt to solve this problem, each client on the LAN which is coupled to the NAT has a special application (e.g. a Terminate-and-Stay-Resident program) installed thereon. This prior art approach has several substantial disadvantages. First, a unique version of the special application must be written and installed for each client environment (i.e. the operating system of the client). That is, one version of the special application must be written for and installed on clients running, for example, Windows NT™. Another version of the special application must be written for and installed on clients running, for example, Windows 95™. Still another version of the special application must be written for and installed on clients running, for example, Windows 98™, and so on. This requirement is costly and time-consuming. Furthermore, the clients must be monitored and a new version of the special application must be installed thereon if the client environment changes (e.g. a client environment of Windows 95™ is updated to Windows 98™, and so on).
Finally, the requirement to monitor the client environment and install (and update) various versions of the special application demands extensive user intervention and also demands a level of sophistication which is beyond the scope of the ordinary consumer.
Thus, a need exists for a method and system for providing security during use of an intermediate device wherein the method and system allows a user of a client to be prompted for authentication information. A further need exists for a method and system which meets the above-listed need and which is independent of the operating system environment of the client to be authenticated. Yet another need exists for a method and system which meets the above-listed needs and which does not require extensive consumer intervention or consumer sophistication.
DISCLOSURE OF THE INVENTION
The present invention provides a method and system for providing security during use of an intermediate device wherein the method and system allows a user of a client to be prompted for authentication information. The present invention also provides a method and system which meets the above-listed need and which is independent of the operating system environment of the client to be authenticated. The present invention further provides a method and system which meets the above-listed needs and which does not require extensive consumer intervention or consumer sophistication.
Specifically, in one embodiment, an intermediate device includes memory. The memory of the intermediate device is adapted to store a deliverable security applet. Additionally, the intermediate device is configured to download the deliverable security applet to a desired location. The present embodiment also includes a client which is coupled to the intermediate device. The client is adapted to receive the deliverable security applet from the intermediate device when the intermediate device downloads the deliverable security applet to the client. In so doing, the client can be prompted to respond to requests for authentication of the client when the requests for authentication of the client are received by the intermediate device.
In another embodiment, the present invention includes the features of the above-described embodiment and further recites that the intermediate device is a Network Address Translator (NAT).
In still another embodiment, the present invention includes the features of the first above-described embodiment and further recites that the deliverable security applet is adapted to run on multiple client operating systems.
These and other advantages of the present invention will no doubt become obvious to those of ordinary skill in the art after having read the following detailed description of the preferred embodiments which are illustrated in the various drawing figures.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention:
FIG. 1 is a schematic diagram of an exemplary computer system used to perform steps of the present method in accordance with one embodiment of the present invention.
FIG. 2 is a schematic representation of a system for providing security during use of an intermediate device which represents clients to a central site in accordance with one embodiment of the present invention.
FIG. 3 is a schematic representation of an intermediate device for providing security during representation of clients to a central site in accordance with one embodiment of the present invention.
FIG. 4 is a flow chart of steps performed in accordance with one embodiment of the present claimed invention.
FIG. 5 is a flow chart of steps performed in accordance with one embodiment of the present claimed invention.
The drawings referred to in this description should be understood as not being drawn to scale except if specifically noted.
BEST MODE FOR CARRYING OUT THE INVENTION
Reference will now be made in detail to the preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. While the invention will be described in conjunction with the preferred embodiments, it will be understood that they are not intended to limit the invention to these embodiments. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be obvious to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuits have not been described in detail as not to unnecessarily obscure aspects of the present invention.
Some portions of the detailed descriptions which follow are presented in terms of procedures, logic blocks, processing, and other symbolic representations of operations on data bits within a computer memory. These descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. In the present application, a procedure, logic block, process, etc., is conceived to be a self-consistent sequence of steps or instructions leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated in a computer system. It has proved convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussions, it is appreciated that throughout the present invention, discussions utilizing terms such as “storing”, “downloading”, “prompting”, “running” or the like, refer to the actions and processes of a computer system, or similar electronic computing device. The computer system or similar electronic computing device manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission, or display devices. The present invention is also well suited to the use of other computer systems such as, for example, optical and mechanical computers.
COMPUTER SYSTEM ENVIRONMENT OF THE PRESENT INVENTION
With reference now to FIG. 1, portions of the present method and system are comprised of computer-readable and computer-executable instructions which reside, for example, in computer-usable media of a computer system. FIG. 1 illustrates an exemplary computer system 100 used to perform the present invention. It is appreciated that system 100 of FIG. 1 is exemplary only and that the present invention can operate within a number of different computer systems including general purpose networked computer systems, embedded computer systems, and stand alone computer systems. Furthermore, as will be described below in detail, the components of computer system 100 reside, for example, in a client computer and/or in the intermediate device of the present system and method. Additionally, computer system 100 of FIG. 1 is well adapted to having computer readable media such as, for example, a floppy disk, a compact disc, and the like coupled thereto. Such computer readable media is not shown coupled to computer system 100 in FIG. 1 for purposes of clarity.
System 100 of FIG. 1 includes an address/data bus 102 for communicating information, and a central processor unit 104 coupled to bus 102 for processing information and instructions. Central processor unit 104 may be an 80×86-family microprocessor. System 100 also includes data storage features such as a computer usable volatile memory 106, e.g. random access memory (RAM), coupled to bus 102 for storing information and instructions for central processor unit 104, computer usable non-volatile memory 108, e.g. read only memory (ROM), coupled to bus 102 for storing static information and instructions for the central processor unit 104, and a data storage unit 110 (e.g., a magnetic or optical disk and disk drive) coupled to bus 102 for storing information and instructions. System 100 of the present invention also includes an optional alphanumeric input device 112, including alphanumeric and function keys, coupled to bus 102 for communicating information and command selections to central processor unit 104. System 100 also optionally includes a cursor control device 114 coupled to bus 102 for communicating user input information and command selections to central processor unit 104. System 100 of the present embodiment also includes an optional display device 116 coupled to bus 102 for displaying information. Additionally, computer system 100 of the present embodiment includes feature 118 for connecting computer system 100 to a LAN.
Referring still to FIG. 1, optional display device 116 of FIG. 1, may be a liquid crystal device, cathode ray tube, or other display device suitable for creating graphic images and alphanumeric characters recognizable to a user. Optional cursor control device 114 allows the computer user to dynamically signal the two dimensional movement of a visible symbol (cursor) on a display screen of display device 116. Many implementations of cursor control device 114 are known in the art including a trackball, mouse, touch pad, joystick or special keys on alphanumeric input device 112 capable of signaling movement of a given direction or manner of displacement. Alternatively, it will be appreciated that a cursor can be directed and/or activated via input from alphanumeric input device 112 using special keys and key sequence commands. The present invention is also well suited to directing a cursor by other means such as, for example, voice commands. A more detailed discussion of the method and system embodiments of the present invention are found below.
DETAILED DESCRIPTION OF THE STRUCTURE OF THE PRESENT INVENTION
With reference now to FIG. 2, a system for providing security during use of an intermediate device which represents clients to a central site is shown in accordance with one embodiment of the present invention. The present discussion will begin with a detailed description of the structure and physical components of the embodiments of the present invention. The discussion will then describe, in detail, the operation of the embodiments of the present invention. Referring again to FIG. 2, the present embodiment includes several clients 202, 204, and 206. In the present embodiment, clients 202, 204, and 206 are personal computers (PCs); however, the present invention is also well suited to an embodiment in which clients 202, 204, and 206 are devices other than PCs (e.g. personal digital assistants, servers, and the like). Clients 202, 204, and 206 of the present embodiment may contain, for example, the features of computer system 100 described above in detail in conjunction with FIG. 1. Additionally, although only three clients 202, 204, and 206 are shown for purposes of clarity, the present invention is also well suited to a system having a greater or lesser number of clients.
With reference still to FIG. 2, clients 202, 204, and 206 are coupled together via a local area network (LAN) 208. In so doing, clients 202, 204, and 206 are able to communicate with each other. Although a LAN 208 is shown in the present embodiment, the present invention is also well suited to use with various other networks configurations such as, for example, a wide area network (WAN).
Referring still to FIG. 2, the present embodiment also includes an intermediate device 210. As shown in FIG. 2, intermediate device 210 is coupled to LAN 208. As a result, intermediate device 210 is able to communicate with each of clients 202, 204, and 206. In the present embodiment, intermediate device 210 is a network address translator (NAT). However, the present invention is also applicable to intermediate devices other than a NAT. Intermediate device 210 of the present embodiment may contain, for example, the features of computer system 100 described above in detail in conjunction with FIG. 1. Additionally, as shown in FIG. 2, intermediate device 210 is configured to be coupled via a single connection 212 to a WAN 214 and then to RAS 216. Thus, clients 202, 204, and 206 are able to access RAS 216 via intermediate device 210, single connection 212 and WAN 214. RAS 216 is, in turn, coupled to, for example, the internet 218. Although such a system is shown in FIG. 2, it will be understood that the present invention is also well suited to operating in a system which is configured differently than the system shown in FIG. 2.
Referring now to FIG. 3, a schematic diagram of intermediate device 210 in accordance with one embodiment of the present invention is shown. In the present embodiment, intermediate device 210 includes memory 302, a downloader 304, and a user interface 306. Memory 302 of the present embodiment is adapted to store a deliverable security applet therein. Downloader 304 is adapted to download the deliverable security applet from intermediate device 210 to one or more of clients 202, 204, and 206. User interface 306 is adapted to allow a user of intermediate device 210 to, for example, configure various operating parameters of intermediate device 210. In this embodiment, user interface 306 is, for example, a keypad, a display, and the like. The operation of the present embodiment including intermediate device 210 is set forth in detail below.
DETAILED DESCRIPTION OF THE OPERATION OF THE PRESENT INVENTION
With reference next to FIG. 4, a flow chart 400 of exemplary steps used by the present invention is shown. Flow chart 400 includes processes of the present invention which, in one embodiment, are carried out by a processor under the control of computer-readable and computer-executable instructions. The computer-readable and computer-executable instructions reside, for example, in data storage features such as computer usable volatile memory 106 and/or computer usable non-volatile memory 108 of FIG. 1. The computer-readable and computer-executable instructions are used to control or operate in conjunction with, for example, central processing unit 104 of FIG. 1. As mentioned above, the features of the computer system of FIG. 1 are well suited to being disposed, for example, in intermediate device 210 and/or clients 202, 204, and 206. Although specific steps are disclosed in flow chart 400 of FIG. 4, such steps are exemplary. That is, the present invention is well suited to performing various other steps or variations of the steps recited in FIG. 4.
In step 402 of FIG. 4, in one embodiment of the present invention, intermediate device 210 of FIGS. 2 and 3 is coupled to LAN 208 of FIG. 2. In so doing, intermediate device 210 is able to communicate with clients 202, 204, and 206 of FIG. 2. As mentioned above, in the present embodiment, intermediate device 210 is a NAT. Additionally, in the present embodiment, intermediate device 210 has a deliverable security applet stored in memory 302 thereof. In the present embodiment, the deliverable security applet is adapted to run on multiple client operating systems. That is, unlike prior art Terminate-and-Stay-Resident programs, the present deliverable security applet is initially stored in the memory of intermediate device 210, and it is not specifically written for any particular client environment or client operating system. In one embodiment, the present invention takes advantage of JAVA, which runs on the JAVA Virtual Machine. Hence, the JAVA applet is independent of the client operating system.
Referring now to step 404, the present embodiment determines whether selected clients 202, 204, and 206 have the deliverable security applet installed thereon. In the present embodiment, the deliverable security applet is executable on a browser program running on clients 202, 204, and 206. Thus, in the present embodiment, clients 202, 204, and 206 have a browser program running thereon. If the selected clients 202, 204, and 206 already have the deliverable security applet running thereon, the present embodiment proceeds to step 408. If the selected clients 202, 204, and 206 do not have the present deliverable security applet loaded thereon, the present invention proceeds to step 406.
At step 406, the present embodiment downloads the present deliverable security applet from memory 302 of intermediate device 210 to the desired clients 202, 204, and 206 via downloader 304 of FIG. 3. Thus, unlike prior art approaches which require that a special application be loaded directly onto each client by a user, the present embodiment downloads the present deliverable security applet directly from intermediate device 210 onto a selected client or clients. Thus, even an unsophisticated consumer is able to load the present deliverable security applet onto a selected client simply by coupling intermediate device 210 to LAN 208.
With reference still to step 406, as mentioned above, the present deliverable security applet is not specifically written for any particular client environment or client operating system. Thus, the present deliverable security applet eliminates the need to write and install on each client a unique version of a special application. Therefore, the present invention does not require a user to monitor each client environment and install (and/or update) versions of the special application. Instead, the present deliverable security applet functions regardless of the operating system of the client.
Referring still to step 406, in the present embodiment, deliverable security applet is a JAVA applet which executes on a browser program running on the client. The present deliverable security applet causes the client to be prompted to respond to requests for authentication of the client when such requests for authentication are received by intermediate device 210. Additionally, the present embodiment is also well suited to downloading the present deliverable security applet to a selected at least one of a plurality of clients 202, 204, and 206. That is, a user of intermediate device 210 is able to selectively download the present deliverable security applet from intermediate device 210 to only a desired client or clients. In such a case, a user configures intermediate device 210 using, for example, user interface 306, such that the present deliverable security applet is downloaded only to the desired client or clients.
At step 408, a client 202, 204, or 206 seeks to access RAS 216. This occurs, for example, when the client 202, 204, or 206 sends non-local data which results in a call being placed to RAS 216 so that the internet can be accessed.
Next, at step 410, intermediate device 210 establishes a link between intermediate device 210 and RAS 216 via single connection 212 and WAN 214.
Referring now to step 412, after the link is established at step 410, RAS 216 sends a request for authentication of the client. The request for authentication sent from RAS 216 is then received at intermediate device 210. However, the authentication information is not present at intermediate device 210. Instead, the authentication information must be provided by the appropriate client or a user thereof. One example of an authentication method requires that the user of the client carry a token and know an associated personal identification number (PIN). The token generates a time-variable identification number. RAS 216 knows which identification number the token should generate at a particular time. The user enters the PIN as well as the token-generated identification number into the client, and this information is transmitted to the requesting RAS 216 for authentication. In so doing, RAS 216 is able to determine whether the client or user thereof has authorization to access RAS 216. Although such an authentication method is recited in the present embodiment, the present invention is also well suited to use with various other authentication methods and techniques.
Thus, at step 414, intermediate device 210 causes the present deliverable security applet, loaded onto the client, to prompt the user for the PIN as well as the identification number generated by the token.
Next, at step 416, the client forwards the client's authentication information (e.g. identification number, password, and the like) to intermediate device 210.
Then, at step 418, the present embodiment forwards the client's authentication information (e.g. identification number, password, and the like) from intermediate device 210 to RAS 216. As a result, RAS 216 is able to determine whether or not the client has authorization to access RAS 216, and RAS 216 then grants or denies access accordingly. Thus, even an unsophisticated consumer is able to provide authentication response capability for one or more desired clients simply by coupling intermediate device 210 of the present embodiment to LAN 208.
In some instances, RAS 216 or other destination address will periodically request new authentication information. That is, in some instances a request for authentication information may be sent from RAS 216, for example, every 30 minutes. In such an example, the present invention will repeat steps 412 through 418 as needed. Note that future authentication may require both the PIN as well as the identification number generated by the token to be entered. Alternatively, it may only require the identification number to be entered.
Additionally, in some instances new clients will be added to LAN 208 once LAN 208 is already coupled to intermediate device 210. The operation of one embodiment of the present invention in such an instance is set forth in flow chart 500 of FIG. 5. In step 502 of FIG. 5, a new client is coupled to LAN 208 of FIG. 2.
Referring now to step 504, the present embodiment determines whether the new client has the deliverable security applet installed thereon. If the new client already has the deliverable security applet running thereon, the present embodiment proceeds, for example, to step 408 of FIG. 4. If the new client does not have the present deliverable security applet loaded thereon, the present invention proceeds to step 506.
At step 506, the present embodiment downloads the present deliverable security applet from memory 302 of intermediate device 210 to the new client via downloader 304 of FIG. 3. Thus, unlike prior art approaches which require that a special application be loaded directly onto each new client by a user, the present embodiment downloads the present deliverable security applet directly from intermediate device 210 onto each new client or clients as they are added. Thus, even an unsophisticated consumer is able to load the present deliverable security applet onto a newly added client simply by coupling the new client to LAN 208.
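The following Python is an added, constructed model of the relay described in steps 404 through 418 of FIG. 4 and steps 504 through 506 of FIG. 5; it is example code written for this page, not the patent's or the assignee's. The intermediate device holds the applet, pushes it to any client that lacks it, and, because it holds no credentials itself, relays the RAS's authentication request to the client applet, which prompts for the PIN and the token-generated identification number; the answer is forwarded to the RAS, which verifies both. The patent does not name the token algorithm, so the time-based HMAC construction of RFC 6238 (TOTP), the 60-second time step, the one-window allowance for token clock drift, the user names and the token seed are all assumptions of the example. The 30-minute re-request interval comes from the description.

```python
"""Constructed model of the authentication relay of FIGS. 4 and 5. Example only:
the TOTP token construction, time step, skew window and all names are assumptions."""
import hashlib
import hmac
import struct

TOKEN_STEP = 60          # seconds per token code (assumed; the patent does not fix it)
REAUTH_INTERVAL = 1800   # RAS re-requests authentication every 30 minutes (from the text)
SKEW_WINDOWS = 1         # also accept the previous window, tolerating token clock drift


def token_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Time-variable identification number shown on the token (RFC 6238 construction)."""
    counter = struct.pack(">Q", now // TOKEN_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class RAS:
    """Remote Access Server 216: holds each user's PIN and token seed, verifies both."""

    def __init__(self, users):
        self.users = users            # username -> (pin, token_secret)
        self.authenticated_at = {}    # session -> time of last successful authentication

    def needs_authentication(self, session: str, now: int) -> bool:
        last = self.authenticated_at.get(session)
        return last is None or now - last >= REAUTH_INTERVAL

    def authenticate(self, session: str, username: str, pin: str, code: str, now: int) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        expected_pin, secret = record
        pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
        code_ok = any(
            hmac.compare_digest(code.encode(), token_code(secret, now - k * TOKEN_STEP).encode())
            for k in range(SKEW_WINDOWS + 1)
        )
        if pin_ok and code_ok:
            self.authenticated_at[session] = now
            return True
        return False


class Client:
    """A LAN client 202/204/206 running a browser; the delivered applet prompts the user."""

    def __init__(self, name: str, user_answer):
        self.name = name
        self.applet = None
        self.user_answer = user_answer   # callable(now) -> (username, pin, code) the user types
        self.prompts = 0

    def prompt_user(self, now: int):
        if self.applet is None:           # nothing on the client can show the prompt
            raise RuntimeError("no security applet loaded; cannot prompt user")
        self.prompts += 1
        return self.user_answer(now)


class IntermediateDevice:
    """NAT 210: memory 302 holds the applet, downloader 304 delivers it, requests are relayed."""

    APPLET = "deliverable-security-applet"   # placeholder for the stored JAVA applet

    def __init__(self, ras: RAS):
        self.ras = ras
        self.downloads = 0

    def ensure_applet(self, client: Client) -> None:
        # Steps 404/406 (and 504/506 for a newly added client): download only if missing.
        if client.applet is None:
            client.applet = self.APPLET
            self.downloads += 1

    def access(self, client: Client, now: int) -> bool:
        """Steps 408-418: client sends non-local data, device links to the RAS, and any
        authentication request is relayed to the client applet rather than answered here."""
        self.ensure_applet(client)
        if self.ras.needs_authentication(client.name, now):
            username, pin, code = client.prompt_user(now)     # step 414
            if not self.ras.authenticate(client.name, username, pin, code, now):  # 416-418
                return False
        return True
```

The device never learns whether a PIN is right; it only carries the prompt one way and the answer the other, which is the division of responsibility the description sets out. The skew window is what keeps a code read a few seconds before the minute boundary from being rejected.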
Thus, the present invention provides a method and system for providing security during use of an intermediate device wherein the method and system allows a user of a client to be prompted for authentication information. The present invention also provides a method and system which meets the above-listed need and which is independent of the operating system environment of the client to be authenticated. The present invention further provides a method and system which meets the above listed needs and which does not require extensive consumer intervention or consumer sophistication.
The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order best to explain the principles of the invention and its practical application, to thereby enable others skilled in the art best to utilize the invention and various embodiments with various modifications suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto and their equivalents.

Claims (28)

What is claimed is:
1. A system for providing security during use of an intermediate device which represents clients to a central site, said system comprising:
an intermediate device, said intermediate device including memory adapted to store a deliverable security applet, said intermediate device configured to download said deliverable security applet to a desired location; and
a client coupled to said intermediate device, said client adapted to receive said deliverable security applet from said intermediate device when said intermediate device downloads said deliverable security applet to said client such that said client can be prompted to respond to requests for authentication of said client when said requests for authentication of said client are received by said intermediate device.
2. The system of claim 1 for providing security during use of an intermediate device wherein said intermediate device is a Network Address Translator (NAT).
3. The system of claim 1 for providing security during use of an intermediate device wherein said deliverable security applet is adapted to run on multiple client operating systems.
4. The system of claim 1 for providing security during use of an intermediate device wherein said deliverable security applet is a JAVA applet.
5. The system of claim 1 for providing security during use of an intermediate device wherein said deliverable security applet executes on a browser program running on said client.
6. The system of claim 1 for providing security during use of an intermediate device wherein said deliverable security applet is adapted to prompt a user of said client for authentication information when said requests for authentication of said client are received by said intermediate device.
7. The system of claim 1 for providing security during use of an intermediate device wherein said intermediate device is further adapted to download said deliverable security applet to a selected at least one of a plurality of said clients.
8. An intermediate device adapted for providing authentication of a client coupled to said intermediate device, said intermediate device comprising:
memory adapted to store a deliverable security applet, said intermediate device configured to download said deliverable security applet to a desired client such that said client can be prompted to respond to requests for authentication of said client when said requests for authentication of said client are received by said intermediate device.
9. The intermediate device of claim 8 adapted for providing authentication of a client coupled to said intermediate device wherein said intermediate device is a Network Address Translator (NAT).
10. The intermediate device of claim 8 adapted for providing authentication of a client coupled to said intermediate device wherein said deliverable security applet is adapted to run on multiple client operating systems.
11. The intermediate device of claim 8 adapted for providing authentication of a client coupled to said intermediate device wherein said deliverable security applet is a JAVA applet.
12. The intermediate device of claim 8 adapted for providing authentication of a client coupled to said intermediate device wherein said deliverable security applet executes on a browser program running on said client.
13. The intermediate device of claim 8 adapted for providing authentication of a client coupled to said intermediate device wherein said deliverable security applet is adapted to prompt a user of said client for authentication information when said requests for authentication of said client are received by said intermediate device.
14. The intermediate device of claim 8 adapted for providing authentication of a client coupled to said intermediate device wherein said intermediate device is further adapted to download said deliverable security applet to a selected at least one of a plurality of said clients.
15. A method for providing authentication of a client coupled to an intermediate device, said method comprising the steps of:
a) storing a deliverable security applet in memory of an intermediate device; and
b) downloading said deliverable security applet to a desired client such that said client can be prompted to respond to requests for authentication of said client when said requests for authentication of said client are received by said intermediate device.
16. The method for providing authentication of a client coupled to an intermediate device as recited in claim 15 wherein step a) comprises:
storing said deliverable security applet in memory of a Network Address Translator (NAT).
17. The method for providing authentication of a client coupled to an intermediate device as recited in claim 15 wherein step a) comprises:
storing a deliverable security applet in memory of an intermediate device wherein said deliverable security applet is adapted to run on multiple client operating systems.
18. The method for providing authentication of a client coupled to an intermediate device as recited in claim 15 wherein step a) comprises:
storing a deliverable security JAVA applet in memory of an intermediate device.
19. The method for providing authentication of a client coupled to an intermediate device as recited in claim 15 wherein step a) comprises:
storing a deliverable security applet in memory of an intermediate device wherein said deliverable security applet is executable on a browser program running on a client.
20. The method for providing authentication of a client coupled to an intermediate device as recited in claim 15 wherein step b) comprises:
downloading said deliverable security applet to a desired client such that a user of said client can be prompted to respond to requests for authentication of said client when said requests for authentication of said client are received by said intermediate device.
21. The method for providing authentication of a client coupled to an intermediate device as recited in claim 15 wherein step b) comprises:
downloading said deliverable security applet to a selected at least one of a plurality of said clients.
22. In a computer system having a processor coupled to a bus, a computer readable medium coupled to said bus and having stored therein a computer program that when executed by said processor causes said computer system to implement a method for providing authentication of a client coupled to an intermediate device, said method comprising the steps of:
a) storing a deliverable security applet in memory of an intermediate device; and
b) downloading said deliverable security applet to a desired client such that said client can be prompted to respond to requests for authentication of said client when said requests for authentication of said client are received by said intermediate device.
23. A computer readable memory unit as described in claim 22 wherein step a) of said computer implemented method stored on said computer readable medium further comprises:
storing said deliverable security applet in memory of a Network Address Translator (NAT).
24. A computer readable memory unit as described in claim 22 wherein step a) of said computer implemented method stored on said computer readable medium further comprises:
storing a deliverable security applet in memory of an intermediate device wherein said deliverable security applet is adapted to run on multiple client operating systems.
25. A computer readable memory unit as described in claim 22 wherein step a) of said computer implemented method stored on said computer readable medium further comprises:
storing a deliverable security JAVA applet in memory of an intermediate device.
26. A computer readable memory unit as described in claim 22 wherein step a) of said computer implemented method stored on said computer readable medium further comprises:
storing a deliverable security applet in memory of an intermediate device wherein said deliverable security applet is executable on a browser program running on a client.
27. A computer readable memory unit as described in claim 22 wherein step b) of said computer implemented method stored on said computer readable medium further comprises:
downloading said deliverable security applet to a desired client such that a user of said client can be prompted to respond to requests for authentication of said client when said requests for authentication of said client are received by said intermediate device.
28. A computer readable memory unit as described in claim 22 wherein step b) of said computer implemented method stored on said computer readable medium further comprises:
downloading said deliverable security applet to a selected at least one of a plurality of said clients.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/164,209 US6327662B1 (en) 1998-09-30 1998-09-30 Security through the use of tokens and automatically downloaded applets

Publications (1)

Publication Number Publication Date
US6327662B1 true US6327662B1 (en) 2001-12-04

Family

ID=22593453

Country Status (1)

Country Link
US (1) US6327662B1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5958051A (en) * 1996-11-27 1999-09-28 Sun Microsystems, Inc. Implementing digital signatures for data streams and data archives
US6247133B1 (en) * 1998-02-23 2001-06-12 Frank A. Cona Method for authenticating electronic documents on a computer network

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7181535B1 (en) * 1998-12-24 2007-02-20 France Telecom Addressing method and name and address server in a digital network
US6393488B1 (en) * 1999-05-27 2002-05-21 3Com Corporation System and method for supporting internet protocol subnets with network address translators
US6854006B1 (en) * 1999-05-31 2005-02-08 International Business Machines Corporation System and method for merging web based on-demand SNA application selection and TN3270 client launching
US7983993B2 (en) * 2000-04-17 2011-07-19 Verisign, Inc. Authenticated payment
US20100293100A1 (en) * 2000-04-17 2010-11-18 Verisign, Inc. Authenticated Payment
US7650495B2 (en) 2002-06-10 2010-01-19 Microsoft Corporation Security gateway for online console-based gaming
US20030229779A1 (en) * 2002-06-10 2003-12-11 Morais Dinarte R. Security gateway for online console-based gaming
EP1372315A2 (en) * 2002-06-10 2003-12-17 Microsoft Corporation Security gateway for online console-based gaming
EP1372315A3 (en) * 2002-06-10 2004-01-28 Microsoft Corporation Security gateway for online console-based gaming
US20080177997A1 (en) * 2002-06-10 2008-07-24 Microsoft Corporation Security gateway for online console-based gaming
US7370194B2 (en) 2002-06-10 2008-05-06 Microsoft Corporation Security gateway for online console-based gaming
WO2004077259A3 (en) * 2003-02-24 2005-05-19 Bea Systems Inc System and method for server load balancing and server affinity
US7836493B2 (en) 2003-04-24 2010-11-16 Attachmate Corporation Proxy server security token authorization
US20050005133A1 (en) * 2003-04-24 2005-01-06 Xia Sharon Hong Proxy server security token authorization
US20040268152A1 (en) * 2003-06-27 2004-12-30 Wrq, Inc. Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys
US8214884B2 (en) * 2003-06-27 2012-07-03 Attachmate Corporation Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys
US8181232B2 (en) 2005-07-29 2012-05-15 Citicorp Development Center, Inc. Methods and systems for secure user authentication
US20070050840A1 (en) * 2005-07-29 2007-03-01 Michael Grandcolas Methods and systems for secure user authentication
US7904946B1 (en) 2005-12-09 2011-03-08 Citicorp Development Center, Inc. Methods and systems for secure user authentication
US20110197266A1 (en) * 2005-12-09 2011-08-11 Citicorp Development Center, Inc. Methods and systems for secure user authentication
US9002750B1 (en) 2005-12-09 2015-04-07 Citicorp Credit Services, Inc. (Usa) Methods and systems for secure user authentication
US9768963B2 (en) 2005-12-09 2017-09-19 Citicorp Credit Services, Inc. (Usa) Methods and systems for secure user authentication
US11394553B1 (en) 2005-12-09 2022-07-19 Citicorp Credit Services, Inc. (Usa) Methods and systems for secure user authentication
US11917069B1 (en) 2005-12-09 2024-02-27 Citicorp Credit Services, Inc. (Usa) Methods and systems for secure user authentication
CN102271136A (en) * 2011-08-16 2011-12-07 赛尔网络有限公司 Access control method and equipment under NAT (Network Address Translation) network environment
US20170012978A1 (en) * 2015-05-14 2017-01-12 River Security Inc. Secure communication method and apparatus
US10142297B2 (en) 2015-05-14 2018-11-27 River Security Inc. Secure communication method and apparatus

Similar Documents

Publication Publication Date Title
US6327662B1 (en) Security through the use of tokens and automatically downloaded applets
US6438600B1 (en) Securely sharing log-in credentials among trusted browser-based applications
US7293115B2 (en) Internet-aware agent for automatically updating applications without executing the application
US7024497B1 (en) Methods for accessing remotely located devices
US8527615B2 (en) Apparatus and method for determining a program neighborhood for a client node in a client-server network
US6643690B2 (en) Apparatus and method for determining a program neighborhood for a client node in a client-server network
US5999971A (en) Apparatus and method for identifying clients accessing network sites
JP4800966B2 (en) Seamless discovery of remote applications installed on workstations from an extranet
US20030069948A1 (en) Automated online subscription
US8195806B2 (en) Managing remote host visibility in a proxy server environment
JP4550067B2 (en) Presenting a merged view of remote application shortcuts from multiple providers
JPH10116195A (en) Mechanism for finding out the position of object by secure system
KR100354369B1 (en) Information processing method, information processing apparatus, and storage medium for storing an information processing program
US20110145915A1 (en) Method for managing authentication procedures for a user
WO1995017063A1 (en) Object-oriented secured communications system
WO1999008208A1 (en) Internet transaction processing interface
US6385648B1 (en) Method for initializing a box on a data communications network
CN100465950C (en) Web browser command button for client support
US7506033B2 (en) System and method for remotely accessing a client in a client server environment
US7350206B2 (en) Method to reduce provisioning time in shared storage systems by preemptive copying of images
US11003463B2 (en) Virtual desktop
Cisco Accessing Remote File Servers

Legal Events

Date Code Title Description
AS Assignment

Owner name: 3COM CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ARAUJO, KENNETH;REEL/FRAME:009595/0495

Effective date: 19981103

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

SULP Surcharge for late payment

Year of fee payment: 7

REMI Maintenance fee reminder mailed
AS Assignment

Owner name: HEWLETT-PACKARD COMPANY, CALIFORNIA

Free format text: MERGER;ASSIGNOR:3COM CORPORATION;REEL/FRAME:024630/0820

Effective date: 20100428

AS Assignment

Owner name: HEWLETT-PACKARD COMPANY, CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE SEE ATTACHED;ASSIGNOR:3COM CORPORATION;REEL/FRAME:025039/0844

Effective date: 20100428

AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:027329/0044

Effective date: 20030131

AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: CORRECTIVE ASSIGNMENT PREVIUOSLY RECORDED ON REEL 027329 FRAME 0001 AND 0044;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:028911/0846

Effective date: 20111010

FPAY Fee payment

Year of fee payment: 12

AS Assignment

Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.;REEL/FRAME:037079/0001

Effective date: 20151027